... and routing table/vrf
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
..and the possibility to set source address (e.g. remote ipsec hosts)
Hey, Mikrotik team!
Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
Netwatch can trigger a script.
Hey, Mikrotik team!
Please extend "netwatch" functionality a little bit. It is a nice feature, but so undeveloped.
It will be nice to have an option to set amount of ping to send before change status to down and at its frequency.
+1
Selectable auth mechanisms for RADIUS-based AAA on system login.
Currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.
Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
It might be nice to have an option for color in the logs.
Hi.
It will be nice to have an option to make color-able any log entry.
For example, I wanna paint wifi log to green, ppp log to purple, interface log to cyan... or to other color, so I can find them faster with an eyeblink.
(I think, ANSI colors would be enough, but more color, more fun.)
And please, put a "find" option to log.
Best regards: Xen
You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on?
How about instead we look to the future: WireGuard https://www.wireguard.io
Clients for every major OS, modern cryptography, and the performance looks pretty amazing:
I hope 2018 will be the year that MikroTik finally continues working on IPv6 support.
It should be very simple to add support for selecting the bits of the IPv6 RA
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip settings
set allow-fast-path=no
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=from-dscp-high-3-bits passthrough=yes
I'd like to re-request the function of rinetd.
Never heard of that before, but I did similar things in the past using "netcat" ("nc")
I'd like to re-request the function of rinetd.
https://boutell.com/rinetd/
http://brewformulas.org/Rinetd
You can do the same thing on a MikroTik using a src-nat and a dst-nat rule!
We have several applications, where local devices cannot change their default gateway (DSL or LTE modems for example), which do not point to the mikrotik router. So port forwarding does not allow us to access these devices from remote (telnet, SSH, webinterface, SNMP, ...).
HOW???
A local linux box running rinetd gives us access to this device. But a local linux box adds €/$ 200,- to the budget.
Another +1 for me. Please implement this, as WireGuard is steadily moving towards mainline kernel inclusion.
Vote for https://www.wireguard.com/ , nice VPN which appears to be supported in systemd 237 (read: on every modern Linux - https://github.com/systemd/systemd/pull/4191 ). Universal VPN technology so to say, just a shame not to be able to connect to.
This is just a special case of the generic feature request to have some way of sharing settings in winbox between a large number of routers.
it would be great if it would at least remember my settings between routers
But then I have to do that on each of the hundreds of routers in my Winbox managed sessions list.... Right? I guess my point is that I see no reason at all why someone would not want to see the dashboard information in the upper right. Is there a reason? It's just extra stuff (menu options) that doesn't need to be there. Turn them on all the time for every session and just get rid of the Dashboard menu.
This is already possible.
Connect to one router. Set columns you want to see, open windows etc.
Select session/save as
Next time before connecting to new router pick saved session.
The maximum possible value for "Max Limit" and "Burst Limit" and "Burst Threshold" is "4294M"
The Simple queue will not accept any higher numbers.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
This is what I have been asking for several times over the years. It's good someone else now asks again.
- there should be some way to "save as default"
- there should be some way to interconnect the settings of a Group, so when you add some column to one window in one router out of that group, it is then also shown in all other routers from that group that you already had added (maybe some way to allow an entire group to share a single session file)
- and of course: the widget to select columns should be improved. add a dialog that can be opened that shows all possible columns with a checkmark field, allow the user to select/unselect multiple columns, and click OK to finish. this instead of the cumbersome column list that has to be accessed via 2 levels of menus and often does not fit on the screen so has to be scrolled as well.
Well, I would suppose that if somebody (like me) needs a simple-queue setting in any of the fields greater than 4294-Meg, then they are likely running something with a big-beefy-CPU , such as a CHR on a fast Xeon processor or possibly a high-end or current or future Mikrotik hardware product.
That is correct, the underlying Linux mechanisms being used have limitations and it was likely designed with the rationale "when you have that much bandwidth
Seems like setting is set in 32-bit integer with unit of bits per second. This might pose an architectural problem and we can only hope it can be solved easily.
it is not really required to shape it". It also would incur a lot of CPU overhead to do that.
+1
Selectable auth mechanisms for RADIUS-based AAA on system login.
Currently it varies based on the access vector, and Winbox requires chap which requires reversible crypto / plaintext password store.
Or add LDAP auth client, but I'm sure simply allowing MS-CHAPv2 / PAP as auth mechanisms for existing RADIUS would be a much easier solution.
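The storage consequence raised in the post above, as an added example that is not from the thread or from MikroTik: the CHAP digest (RFC 1994, carried in RADIUS per RFC 2865) can only be checked by a server that holds the password itself, while a PAP-style check can run against a salted one-way hash. The password, identifier, function names and PBKDF2 parameters are constructed for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption for this sketch, not a recommendation from the thread


def chap_response(ident, password, challenge):
    """CHAP response as defined in RFC 1994: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(stored_secret, ident, challenge, response):
    """The verifier recomputes the digest, so stored_secret must be the password itself."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def make_hash_record(password):
    """What a backend keeps when it stores only a salted one-way hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_pap(record, submitted_password):
    """With PAP the server receives the password and can hash-and-compare."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def run_demo():
    password = b"correct horse battery staple"  # constructed sample credential
    ident = 7                                   # constructed CHAP identifier
    challenge = os.urandom(16)                  # fresh server challenge

    response = chap_response(ident, password, challenge)  # what the client sends
    record = make_hash_record(password)                   # hash-only user store

    return {
        # Works only because the verifier was handed the cleartext password.
        "chap_with_cleartext_store": verify_chap(password, ident, challenge, response),
        # A hash-only store has nothing it can feed into the CHAP digest.
        "chap_with_hash_only_store": verify_chap(record[1], ident, challenge, response),
        # PAP verification succeeds against the same hash-only store.
        "pap_with_hash_only_store": verify_pap(record, password),
        "pap_wrong_password": verify_pap(record, b"guess"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

PAP moves the exposure from storage to transit, so it belongs inside a protected channel between the NAS and the RADIUS server.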
Can't you already do that via firewall, don't understand what more you need, if you want to block DNS requests from outside net, or allow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..
Hello
to disable DNS attacking
please add listen address on better from use ip firewall filters
/ip dns allow-remote-requests=yes
/ip dns listen-src-address=192.168.88.0/24,x.xx,y.y.y
Regards
All other services have something like that. Api, ftp, ssh, telnet, winbox and www have "available from" option in IP->Services, smb allows to choose interface. If it makes sense for them, surely it would make sense for dns too.
... if you want to block DNS requests from outside net, or allow only DNS requests from that ip range simple make firewall rule with tcp/udp 53 ports..
this might be two things however. while the interface statistics could be worked out with "/tool graphing" even with resource visibility separation - currently using src ip address as differentiator - the "editing" part is tough. so if you can separate your customers based on ip address, you can define which interface/queue/resource the user may be viewing on the router's web gui.
With the use of interface-lists, set customized permissions to which interfaces a user (and preferably also snmp community) can see or make changes to.
Some of our clients like to have read access to our routers, but sometimes it's a router supplying more than one client and giving even read access would mean they could see every other customer in it.
Currently we work around this using Traffic Flow, but it's not real time and generates a lot of traffic and CPU overhead.
You will have to learn and understand that you should use QuickSet only ONCE and not look at it later!
Quick Set - It's working with WPA1 password. It doesn't recognise, when you manually set WPA2-PSK AES only password. It requires also setting WPA1 password (even if WPA1 is not allowed), otherwise Quick Set shows WiFi password red and empty (WPA2 only is used)
Do you know dst-nat ?
I've been waiting for a long time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533
The purpose is to get DNS service from non default port DNS Server.
Any response is greatly appreciated,
Thank You
There are some non port 53 DNS configurations/uses.
Is there any DNS server on port other than 53?..
The intended use case is probably where the ISP blocks or redirects access to port 53 outside (only allowing access to their own resolvers)
There are some non port 53 DNS configurations/uses.
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
Not worth it to make a change in the router for that, just use dst-nat.
Ok apparently it needs a real loop, I was thinking about adding a loopback interface (an empty bridge with an IP address) and sending the DNS queries there.
But something can be done. I posted possible solution in the other thread, because it belongs there more. But I don't like it.
It is not a limitation of those routines, but of the maximal length of a variable content.
file get contents
Increase threshold 4096 byte, while reading the file or make the file reading by pieces. 4K is too little!
I have a solution to decrease costs with DNS filters like OpenDNS or SafeDNS, using a DNS resolver intermediate on UDP port 5353. All my 100 MK with different valid IPs points to this resolver.
Is there any DNS server on port other than 53?..
You can have this info from the radius server. (if used)
Feature Request:
Actually it's possible to get a total number of active PPPoE sessions via SNMP using this OID:
1.3.6.1.4.1.9.9.150.1.1.1.0
But if we could get this number in a per interface (or PPPoE Server name) basis, should help to detect and troubleshoot issues when using Mikrotik routers as BRAS/BNG/PPPoE Server.
If a large number of active sessions from a specific interface or servicename drops suddenly, any monitoring application can trigger an alarm for that interface/servicename.
To workaround we can use this:
/interface pppoe-server print count-only where service=service5
BUT it should be a nice feature to add to SNMP
/tool sniffer set filter-ip-protocol=udp filter-port=32000-32255
I have run several DNS servers using many port other than 53, the purpose is for internet filtering, users can select filtering level by choosing dns port, check out https://www.thenetpurifier.com/filtering.php
Is there any DNS server on port other than 53?..
vote +1 for dstnat in output chain
Current RouterOS stores IP address of resolver and uses hardcoded port 53. Changing it to store IP address and port doesn't sound like anything big. But I guess dstnat would be enough. It's just that as it is now, you can do it only for clients, not for router itself. If router requires resolver on alternative port for own use, or if you want alternative port and also router as resolver for clients (because of caching, or because you want to override some records), you can't do it. It would require support for dstnat in output chain.
Not worth it to make a change in the router for that, just use dst-nat.
dst-nat not working in output chain, AFAIK
Do you know dst-nat ?
I've been waiting for a long time MikroTik can provide alternative port for IP DNS Setting, other than 53 (default)
normally user input value ip address such as 8.8.8.8 and 8.8.4.4 for IP DNS Setting
alternative port, for example, can be set as easy as 8.8.8.8:553 and 8.8.4.4:533
The purpose is to get DNS service from non default port DNS Server.
Any response is greatly appreciated,
Thank You
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS). And any sensible server allows to add unknown record types using generic syntax. If you have hosted DNS and you depend on some admin interface, it's another story and I guess support there will be very bad. That was the authoritative part. Resolvers should be transparent for unknown types since forever.
There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
I googled for it and I cannot find any DNS server that has documented APL support, including Bind. We use bind 9.
If you have your own authoritative servers, some already have native support for APL (at least BIND and Knot DNS).
There is the experimental APL record type (RFC3123) which would be exactly what is needed, but it isn't supported in DNS servers.
So, you'll need to enter encryption password each time router reboots?
Encrypt nand filesystem, so when some thief unsolders it, they can't read my config.
1+
Please, implement band steering for wifi, especially in CAPsMAN.
Please, add support 802.1x for wire interfaces.
Yes! +1, pretty please?
Please, add support 802.1x for wire interfaces.
/system telnet address=192.168.1.20 port=80
Sorry Normis, and no disrespect to you, but what does influence this list? People screaming for proper vrf separation, IPSec VTI Support, DHCP Option 82 Snooping in ROS, Proper BNG Features, IPv6 Needs a lot of fixing, BFD (YMMV), BGPv4 MIB and many others.
no, the list does not influence our priorities, just gives us ideas about what people want to see.
[me@router] > put [ping 8.8.8.8 count=3]
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 57 9ms
1 8.8.8.8 56 57 10ms
2 8.8.8.8 56 57 8ms
sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=9ms max-rtt=10ms
3
There is indeed. Thanks Sob, you are a legend!
@Wyz4k: There's also Select All in right-click menu.
Hi Chupakha I just wanted to say thanks for your patience, I am just a tad slow and finally get what you are saying.
The same with TCP Flags and ICMP Option in Advanced tab.
Also, DO NOT OPEN Bridge -> Filters, there are 4 tabs and ALL OF THEM are like EXTRA! xD
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
That is one way of doing it, but it does not really work well. Clients have to "hop" between access points and this often only happens when the signal has
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
One of the problems with RFCs and standards is that often 90% of manufacturer network devices only follow RFCs and standards by only 90%.
Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/diassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There are standards for fast handover but they weaken the security. Also there are standards to provide roaming information so the clients know what other AP's to look
Yeah, but pe1chl tells about old wifi clients who cannot switch to another AP without timeout/diassoc on current AP. Anyway, by wifi standards it's up to the client how to select APs and when to switch...
There is only one association, a client does not reassociate if they move from one AP to another. There is not a loss of service when a client moves to a closer AP.
So what's the actual 'feature'? You just use same SSID and same security settings - and it works like this. Even if you mix MikroTik, TP-Link, Cisco APs, etc.
I'm sure this is an extreme long shot for a feature but having multiple radios broadcasting same SSID and channel appearing as one AP to a client.
Sounds interesting. But is part of the evolution in wireless also not that now the spectrum is saturated where 10 years ago is was hardly used? I mean, my first Mikrotik 2,4Ghz 802.11b outdoor AP on a 8dBi omnidirectional had no problem to communicate with my laptop at some 300-400 meters away. And that communication was the sending of an e-mail.
I would like Mikrotik to consider a new type of BaseStation AP
- Something that is possibly modular (where antennas can be mounted to other antennas to form an array of small spot-beam sectors.
- Something that falls under FCC point-to-point higher power rules
- Something that functions similar to a beam-steering phased-array (where the system acts like a point-to-multi-point system).
Vivato (now out of business) did have two models of phased-array outdoor BaseStation APs (rated at 2,000 wireless clients per Vivato BaseStation). I still have 16 of them. When Vivato went out of business , I switched over to Mikrotik - because firmware updates for the Vivato were old & dated. Note - I had both Google and the DOD performed testing on my Vivatos phased array BaseStations 10 years ago. They told me they were BLOWN-AWAY because of the long distance (10 miles) they could achieve with a stock notebook computer. Each set of 4 Vivatos (360 degree coverage) were 10 miles apart and they were able to roam from Vivatos to other Vivatos 10 miles away when both Google and the DOD performed their almost month long testing. Each Vivato had around 100 slot-beam antennas. The Vivatos were able to receive & transmit from/to multiple wireless clients at the same time. Their technology used beam-steering with MAC switching on the slot-beam antennas. Depending on where a wireless client was, a client might have a dozen antennas per Vivato they were connected to. Also, the Vivato BaseStations would slightly delay the tx of some antennas to form a directional beam (similar to how a radar system works in a fighter jet - no moving parts - beam steering).
Another company just announced a BaseStation (Ubnt) which is claimed to support the following; 5 Gbps real Aggregate wireless throughput , MU-MIMO , 1,500 wireless clients , 10-Gig Ethernet interface (some serious stuff here !!!)
If the Ubnt BaseStation performs even close to what my Vivatos were doing , then this is a real serious contender for high-density high-volume high-throughput system.
The current issue today with trying to achieve this with current Mikrotik hardware is that it would require a 120 foot tower physically saturated with almost 100 narrow-beam high-gain overlapping Point-to-Point APs and dish antennas to do the same thing.
I would like to see a Mikrotik system that can achieve the same thing.
North Idaho Tom Jones
The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
This is the feature requests channel. I am requesting a very basic feature that will take all of 30 seconds for somebody to add.
If you are only interested in the switch/router the woobm is connected to via USB, then use telnet instead. Your telnet client C&P will work just fine.
The woobm is awesome, but it lacks the ability to paste. Please add a "paste" button.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Hi everyone,
Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
Also then please add a way to disable username / password logins.
Not for winbox though.
This is already available for SSH. You just upload your public cert to the router - and now you can connect only with this cert, unless you set
/ip ssh set always-allow-password-login=yes
Hi everyone,
Please add a way to authenticate with the Mikrotik router using a certificate similar to how you can authenticate with an ssh server using a private/public key pair.
Also then please add a way to disable username / password logins.
Yeah. Also not for WebBox, not for Telnet, not for API...
Not for winbox though.
Not a script, but in a Terminal:
{
/interface bridge port remove [find interface=ether1]
/ip dhcp-client add disabled=no interface=ether1
}
or
/interface bridge port remove [find interface=ether1]; /ip dhcp-client add disabled=no interface=ether1
I would also like it to be possible to set winbox to a state where changes are pending and the moment all changes done to be able to say commit.
If for example we have the wan port in a bridge with a dhcp-client on the bridge and then we want to remove it from the bridge remotely and add the dhcp-client to the ether1 for example we can't.
To avoid losing remote access you would need to modify the dhcp-client to the ether1 but you can't because it is a child!
So one needs to remove it from the bridge port and then modify the dhcp-client which would of course have to be done locally... or with a script!
Just press Terminal on the left of WinBox. If you use "{ }" - commands inside of brackets will be executed when you press Enter after the bracket. Like this:
[admin@s.internal] > {
{... :put "here"
{... :put "we"
{... :put "go!"
{... }
here
we
go!
[admin@s.internal] >
Well I use winbox and/or API so with neither I could do it remotely since I would lose at the first step the remote connection
Now you'd wish manufacturers to give one of their main tools to keep clients with them away...
A WiFi TDMA mode that is compatible with UBNT airMAX.
We usually have a mix of MikroTik/UBNT access points and clients in our network so we can only use bare 802.11 even when TDMA would perform much better.
Alternative: an IEEE standard for this mode that is implemented by both companies.
+1
Netinstall for Linux, or documentation of the netinstall process so it can be programmed for Linux by someone else.
RoMON works only over L2 transparent links. A proxy could be operating at IP level. A nice feature would be to add an IP-level layer to RoMON so you can
@TomjNorthIdaho
RoMON
If you can connect to 1st mikrotik via TCP (ssh), than using putty, you can configure additional port forwards on the fly.
Winbox proxy ???
It might be nice to be able to connect to another Mikrotik using the 1st mikrotik as a proxy to be able to connect up to a 2nd Mikrotik.
Where , an admin might not be able to directly connect to the 2nd mikrotik, but if the 1st mikrotik can mac/IP connect to the 2nd then allow a winbox proxy connection through the 1st mikrotik to a 2nd mikrotik.
When testing P2MP networks for best throughput and latency you need to run a test from several CPE's (in a 'all MT' network) and then switch between the different protocols and setting to see what gives best result.
Each time though the connection with AP is lost due a config change, the CPE needs to be opened up again in its winbox session. And each time all settings for the bandwidth test are gone... each time you need to fill these again..
Can bandwidth test not be made to at least remember its settings? It has to be stopped when the CPE drops the connection over the interface the test runs, but it would be o so helpful if the settings for the test just come back after the winbox session is opened again. Just click on 'run' and the test can run again..
Would make it a great time saver in troubleshooting and fine tuning P2MP networks...
+1
Please implement a proper auto channel selection that looks at the usage and noise floor of each frequency in the scanlist before choosing a channel.
And not one that just counts how many devices it sees per frequency (as per now): viewtopic.php?f=7&t=122063&p=677377#p600476
So you see it under /system health print ?
CRS112-8P-4S:
SNMP Oid's for PSU1 + PSU2 Voltage or at least a status.
Currently only Temperature under system health supported.
Feature requests - SNMP OID Ethernet link speed
It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).
These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.
North Idaho Tom Jones
$ snmpwalk -v2c -c public 192.168.88.1 |grep ifSpeed
IF-MIB::ifSpeed.1 = Gauge32: 0
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 100000000
IF-MIB::ifSpeed.6 = Gauge32: 1000000000
IF-MIB::ifSpeed.7 = Gauge32: 0
IF-MIB::ifSpeed.8 = Gauge32: 0
IF-MIB::ifSpeed.9 = Gauge32: 1000000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000
IF-MIB::ifSpeed.12 = Gauge32: 100000000
IF-MIB::ifSpeed.14 = Gauge32: 1000000000
IF-MIB::ifSpeed.15 = Gauge32: 0
IF-MIB::ifSpeed.17 = Gauge32: 0
IF-MIB::ifSpeed.18 = Gauge32: 100000000
IF-MIB::ifSpeed.21 = Gauge32: 10000000
IF-MIB::ifSpeed.22 = Gauge32: 0
IF-MIB::ifSpeed.24 = Gauge32: 0
IF-MIB::ifSpeed.25 = Gauge32: 1000000000
+1 !!!!!!
Feature requests - SNMP OID Ethernet link speed
It would be great to have SNMP OIDs for Ethernet link speeds. (if they are there , I have not spotted them yet).
These could be very useful to detect when an Ethernet link changes link speed. Such as when what is/was supposed to be a 1-Gig link changes to a 100 meg link.
North Idaho Tom Jones
snmpwalk -v2c -c public 192.168.0.1 .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
IF-MIB::ifSpeed.6 = Gauge32: 10000000
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
IF-MIB::ifSpeed.9 = Gauge32: 100000000
IF-MIB::ifSpeed.10 = Gauge32: 1000000000
snmpwalk -v2c -c public 192.168.0.1 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.2 = STRING: bridge_vlan1
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifDescr.6 = STRING: pptp-in1
IF-MIB::ifDescr.8 = STRING: ether2-Cisco-Switch
IF-MIB::ifDescr.9 = STRING: bridge-vlan20
IF-MIB::ifDescr.10 = STRING: eth2-vlan20
snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: wlan1
IF-MIB::ifDescr.2 = STRING: ether1
IF-MIB::ifDescr.3 = STRING: ether2
IF-MIB::ifDescr.4 = STRING: ether3
IF-MIB::ifDescr.5 = STRING: ether4
IF-MIB::ifDescr.6 = STRING: bridge
snmpwalk -v2c -c public 192.168.0.80 .1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 = Gauge32: 50000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 0
IF-MIB::ifSpeed.5 = Gauge32: 10000000
IF-MIB::ifSpeed.6 = Gauge32: 100000000
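The link-speed monitoring asked for above can be built on the ifSpeed and ifDescr columns these walks return. The following is an added example, not code from the thread: it joins the two columns by ifIndex and reports interfaces whose negotiated speed dropped between two polls. The baseline lines are copied from the walk of 192.168.0.1 above; the later poll and the function names are constructed for the illustration.

```python
import re

# Matches the two IF-MIB columns shown in the thread's snmpwalk output.
LINE_RE = re.compile(r"^IF-MIB::(ifDescr|ifSpeed)\.(\d+) = (?:STRING|Gauge32): (.*)$")

# Baseline: lines copied from the walk of 192.168.0.1 on this page.
BASELINE_WALK = """\
IF-MIB::ifDescr.1 = STRING: ether1-Wan
IF-MIB::ifDescr.3 = STRING: ether3
IF-MIB::ifDescr.4 = STRING: ether4-Win_Server
IF-MIB::ifDescr.5 = STRING: ether5-Linux_server
IF-MIB::ifDescr.8 = STRING: ether2-Cisco-Switch
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
"""

# Later poll: constructed sample (ether4 renegotiated to 100M, ether5 unplugged).
LATER_WALK = """\
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 0
IF-MIB::ifSpeed.4 = Gauge32: 100000000
IF-MIB::ifSpeed.5 = Gauge32: 0
IF-MIB::ifSpeed.8 = Gauge32: 1000000000
"""


def parse_walk(text):
    """Return {ifIndex: {"ifDescr": str, "ifSpeed": int}} from snmpwalk text."""
    table = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore other OIDs and blank lines
        column, index, value = match.group(1), int(match.group(2)), match.group(3).strip()
        row = table.setdefault(index, {})
        row[column] = int(value) if column == "ifSpeed" else value
    return table


def find_downgrades(baseline, current):
    """Return [(name, old_bps, new_bps)] for links that came up slower than before.

    A speed of 0 means no link; that case is left to ifOperStatus monitoring.
    ifSpeed is a Gauge32 and saturates at 4294967295, so links faster than
    about 4.29 Gbit/s need ifHighSpeed from the ifXTable instead.
    """
    findings = []
    for index, old in sorted(baseline.items()):
        new = current.get(index)
        if new is None or "ifSpeed" not in old or "ifSpeed" not in new:
            continue
        if 0 < new["ifSpeed"] < old["ifSpeed"]:
            name = old.get("ifDescr", "ifIndex %d" % index)
            findings.append((name, old["ifSpeed"], new["ifSpeed"]))
    return findings


if __name__ == "__main__":
    for name, old_bps, new_bps in find_downgrades(parse_walk(BASELINE_WALK),
                                                  parse_walk(LATER_WALK)):
        print("%s: %d -> %d Mbit/s" % (name, old_bps // 10**6, new_bps // 10**6))
```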
news?
hi guys, it seems to me that it is still not possible to change the date format in dd/mm/yyyy. It would be very useful as I also work with userman reports.
Does anyone have a solution?
thank you
Valerio
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
+1
I would like to see something like triggers when an interface state changes, so router can run a script (like ip-up/ip-down on "real" Linuxes).
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
The underlying Linux mechanism does have a "list of lists" feature so it would be easy to add a "list12" that has "list1" and "list2" as members and then specify that as src-address-list.
Please this to be able to use several lists on a single rule without having to copy them together manually or by scripting.
1. IP firewall address lists could include one another (or firewall rules could match multiple lists at once, e.g. "src-address-list=list1,list2").
http://prntscr.com/kq653h
Also do the same on src/dst-address and in/out-interface so we don't have to create a list if just needing a rule with two or three addresses as it makes config more neat.
There is no support to have several lists or several addresses in a single firewall item. You can only do that by having several separate items and indeed that is what happens when you try that in Linux.
(you insert a simple rule with different addresses and when you look later you have several rules in your table)
It would not be a good idea to do that because it introduces new possibilities for bugs.
But what is preventing Mikrotik from making it possible to create hidden lists from several IPs specified in a single rule or having a rule match if IP exists in list A or list B?
Tom:
NV2 - increase NV2 client scan-for-AP b4 connect to AP
Unlike 802.11 or nstream, nv2 clients do not background scan for better APs to connect or roam to. All client nv2 connections want to stay connected to the original nv2 AP they first connected to. Longer nv2 client scan times would at least get equal client-connect loads distributed evenly among all nv2 APs of equal signal strength found in the client nv2 scan list.
North Idaho Tom Jones
How about performing an IP / neighbor command on your main router (that should 'see' all units) and order by device type? You'll immediately see if a unit is 'n' or 'ac'. My antennas all have their designated AP in their name so I can then also set the filter and thus see in an instant which units are 'n' or 'ac' (and thus can do 80Mhz wide channel in 'ac') for each AP.
Re: Feature requests (ability to view wireless capabilities)
Is there a feature to see/view the capabilities of a wireless wlan ?
If not , then I would like to see a new feature to show the wireless capabilities and possible settings.
My issue, I have more than 1,000 nv2 client Mikrotiks. I currently use a Linux expect script to sequentially connect up to each client and perform some commands. The results of the commands are stored in a directory on my Linux machine (results-directory/IP-address-of-client-mikrotik). I am then able to grep the results-directory for pattern matches I am looking for and with this list, I am then able to obtain a client list of IP addresses I am searching for.
I am searching for a method to find all client Mikrotiks that are AC capable, and/or Ceee capable, and/or 2x2 capable. My problem is, I don't know the client wireless capabilities without actually attempting to configure the wireless interface. Thus, it would be a nice feature to be able to print the wireless capabilities without actually making wireless configuration changes.
North Idaho Tom Jones
rfc 6286 - AS-wide Unique BGP Identifier for BGP-4 support for routerOS BGP.
it relaxes some strict definitions: routerid can be now an arbitrary 32 bit unsigned integer, while the older definition restricts it to "valid unicast address".
this breaks BGP compatibility with mikrotik devices right now if not taken in consideration.
in general you only need to remove the check that was required in rfc4271.
this needs to be worked out with IPv6-only devices where you don't have any IPv4 address to be used as bgp identifier.
opened a support request for it earlier today:
Just ran into this issue today.
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.
A WISP could possibly use something like this to play a sound file ...
It would pretty much be a tool for whatever a Mikrotik admin might want/need. Also, because I am suggesting it be an optional package, it would not necessarily be pre-loaded on a fresh Mikrotik router. This optional package could potentially be a nifty tool when used with scripts (including netwatch) to provide audio/verbal information. Also, because I know this type of motherboard speaker driver works on old/slow 16 MHz 16-bit computers, it would not be a Mikrotik resource drain sucking performance away from L2/L3 throughput.
@TomjNorthIdaho: So it's enterprise feature then? That's good, it won't agitate people for being another frivolous home feature.
A WISP could possibly use something like this to play a sound file ...
How about the possibilities of a new wireless driver for Wireless chipsets? With a development package, a new wireless driver could be created (using all of the available Atheros chipset registers/settings) to make new high-performance high-throughput wireless drivers (such as a new/better nv2 'TDMA') system that might way outperform the current Mikrotik proprietary hybrid TDMA (nv2). Or how about the tens of thousands of Linux drivers and applications/tools/utilities already freely available.
Good luck with that. It doesn't seem to me that MikroTik is much for opening up. For example, according to developer of open-source MAC telnet, they don't even want to share details about new 6.43+ authentication, which is something that has no reason to be secret. And you want them to let you plug in your own code in their kernel...
But it could be nice. Even if it was something significantly more modest, just custom packages for strictly user-space non-root stuff. You could easily add custom services, simple web server, full-featured DNS server, UDP proxy, etc. Things that people sometimes want and MikroTik is not eager to implement. Combine it with some API to integrate own configuration interface for these things in WinBox/WebFix/CLI and it would be wonderful. But I'm not holding my breath.
Yes it would certainly be nice to have user-mode daemons under isolated user IDs so they cannot mess with the MikroTik part of the system, but frankly I doubt that the infrastructure for that is currently in place.
"my plan" (if we can call it that) seems more realistic, because even though they would lose some control, isolated package could not easily mess up whole system.
I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
System > scripts > environment (both winbox and webfig) (it's only the current values however)
There should be a new section, a table in webfig and in winbox for global variables with initial values.
Such request is pretty useless. Define what you consider "complete"? Which features you are missing?
I join the request, I need secure way to use NordVPN.
I'd like to ask to complete IPSEC/IKEv2 implementation.
Motivation is : lots of VPN providers - NordVPN and others - are moving to that, leaving L2TP/IPsec disappearing.
This can be done using scripting. The underlying mechanism in the kernel does not support a DNS name so it would have to be solved in a similar way.
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
Isn't the support already here for some time?.. quite long time...
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
What's new in 6.33 (2015-Nov-06 12:49):
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
Why not just unset it?
Yes, it's there, but only for remote address. Local address accepts only IP address.
Yeah, in nginx you simply use try_files for your custom files on local server and proxy_pass to the original MikroTik server for the rest
In that case one can choose to retrieve the LATEST file from a local server and still get the npk files from "upgrade.mikrotik.com".
(so it is not required to keep a complete mirror of those files)
But of course it should be possible to mimic that with a reasonably flexible "transparent proxy" (that allows some files to be served locally and the remainder to be proxied)
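The arrangement described in the posts above, written out as an nginx configuration. This is an added example and not part of any forum post; the document root is an assumed path, and the file layout follows the "/routeros/LATEST.*" description given elsewhere in this thread.

```nginx
# Added example: local override for selected update files, everything
# else proxied to the original server. Paths are assumptions.
server {
    listen 80;
    server_name upgrade.mikrotik.com;

    # Assumed local directory. Only the files you want to override need to
    # exist here, e.g. /srv/routeros-mirror/routeros/LATEST.6
    root /srv/routeros-mirror;

    location /routeros/ {
        # Serve the file from the local tree when it exists,
        # otherwise hand the request to the upstream block.
        try_files $uri @upstream;
    }

    location @upstream {
        # The host running nginx must resolve the real address of
        # upgrade.mikrotik.com here, not a static DNS entry that points
        # back at this server, or requests will loop.
        proxy_pass http://upgrade.mikrotik.com;
        proxy_set_header Host upgrade.mikrotik.com;
    }
}
```

Any .npk file that is absent from the local tree is fetched from the original server unchanged.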
I should have provided more detail.
Isn't the support already here for some time?.. quite long time...
Please consider adding FQDN and DDNS support to the Local and Remote Address fields of the GRE Interface.
What's new in 6.33 (2015-Nov-06 12:49):
*) tunnels - eoip,eoipv6,gre,gre6,ipip,ipipv6,6to4 tunnels now support dns name as remote address;
+1 for allowing MAC address prefixes in lists as well for identifying entire classes of devices like VoIP phones.
Please add:
MAC address lists
Port lists in Firewall
Having MAC addresses in a list would not be very useful for that. What you want is to match MAC address by prefix, usually by the first 3 octets (manufacturer).
+1 for allowing MAC address prefixes in lists as well for identifying entire classes of devices like VoIP phones.
So, updates work via plain HTTP? No encryption?
Well, as I can see, you just create static DNS entry on the router "upgrade.mikrotik.com" with the IP of your server, then run HTTP server on that IP, serving one-line files "/routeros/LATEST.(6|6fix|6rc|7)" containing "$VERSION $TIMESTAMP" (for example, "1.0 1"). Then create "/routeros/$VERSION" dir with CHANGELOG (any text you want to see) and .npk files. Done
Why shame? There is absolutely no problem with that!
So, updates work via plain HTTP? No encryption?
Shame!
Because there is no excuse anymore for any service to run without TLS. Certificates are free (if not dirt cheap for those that don't - for whatever reason - like Let's Encrypt).
Why shame?
Yeah, it's fine. Until it somehow gets exploited in the future.
Remember the update files themselves are signed! The signature is verified before they are installed.
So http is fine.
Microsoft's policies are not an example to be copied.
You know, Windows is using http download for windows update as well.
I never inferred that. Logging in to some website is COMPLETELY DIFFERENT from downloading a firmware update.
Sure,
So next time you login to your web-banking do not check for TLS.
TLS would remove the possibility to have a local update repository on a closed network. At least until the update URL is made configurable.
So yeah, TLS would not hurt and could help some people sleep better.
This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
Create a 'viw' /session, with those things enabled (And maybe your favourite screens setup and laid out), then use that as your default session view, along with unticking autosave so no matter what you do in that session it resets next time you log-in.
The ability to force CPU, uptime, date etc on all winbox sessions.
Instead of having to do it individually
That would be almost okay if the graphs had some authentication built into them as well as opposed to just an ip whitelist.
This is done in 'graphing' you can set up resource graphs and access them through webfig (at login hit the 'Graphs' button underneath the login)
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
This will keep a daily, weekly and yearly graph if i remember correctly, daily being 5 minute poll, weekly being 2 hour and yearly being 1 day or something to that effect.
Here is a screenshot from my Splunk Mikrotik project found here: viewtopic.php?t=137338
Please add average cpu usage for the last day / month / year whatever. This makes it possible to at a glance see how hard a router is working.
If IP whitelist is not enough, you can limit it to VPN via firewall.
1) unsecured graphing which can't be queried using a script anyway
Mikrotik has "The Dude" which works well enough as SNMP server. It is not masterpiece, has its own bugs, but works.
2) have to run a 3rd party snmp server because there is no snmp server from Mikrotik
Unsure what do you mean. You can query SNMP from router.
... and no ability to query snmp registers from the router itself.
Everyone will ask for different average. Someone will ask for 5m, someone for 1hour, someone for 1day... Cmon, if you have such specific requirements, is it really that hard to make own script, which will grab SNMP counters and show you absolutely anything you can imagine?
Surely there's a point where it's simpler to just add in an average counter in the resources tab which can be scripted...
It's okay, I apologize for getting a bit irritated as well. I appreciate your suggestion and will give it a try.
@Wyz4k No. I should apologize. I didn't realize it will sound so aggressive. This is certainly about "feature requests". Sometime, requests are great. Sometime not - people submit them due to misunderstanding or lack of information. I just tried to correct some of your statements and I didn't mean to offend you
Your feature is already implemented in RC/testing version. And some people don't like it...
I'm new to the forum, and I'd like to know where is the right place for a feature request.
No, RADIUS is not a pool manager it can assign statics, software behind RADIUS would need to still manage a pool, which can get out of sync if you miss a stop record or something.
That is already possible via RADIUS!
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201
Proposed:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200,201
Current:
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=200
/interface ethernet switch vlan add ports=sfp1,sfp2 vlan-id=201
Proposed:
/interface list add name=sfp-list
/interface list member add interface=sfp1 list=sfp-list
/interface list member add interface=sfp2 list=sfp-list
/interface ethernet switch vlan add ports=sfp-list vlan-id=200,201
Thanks for explanation, I didn't know what's the underlying implementation of interface lists. Well, the idea(1) is still nice to have, since my vlan table entries contain same trunk ports.
Remember that interface lists are handled by the CPU. An interface list is just a bit set in the interface definition which can be matched e.g. in the firewall ("is this bit set for the interface where this packet arrived") by the processor.
This is entirely different from switch programming, where a fixed mapping between devices and vlans is programmed in an external chip essentially one-time (at startup) and the mapping is only used by the switch chip, not by the processor.
There should simply be the possibility to add "user graphing" where an SNMP OID is entered and the value is graphed. It has been requested before.
It would be really nice if MikroTik would add the ability to graph health information such as voltage and temperature and no I'm not referring about SNMP and API, I am referring to tools->graphing, the same way as resources, queues and interfaces are graphed.
PLEASE!
MT please consider doing some BGP and routing-related fixes for christmas.
Would make A LOT of MT users very, very happy! Just to give some examples:
- multi-threading
- BGP4 SNMP MIBs
- better BGP convergence time
- faster route table searches
- fix ipv6 route reflection
- add RPKI support
Hello. It's not a feature request.
Hello, why mikrotik does not have the ability to better define user permissions based on roles?
I fully underwrite these features requests. The problem is only I have made almost the same, and more, request on Winbox improvement several times over the years and never even got a reply..... None of these 'ergonomic' adjustments are ever implemented.
Features Request!
a. Winbox, lets suppose we want to remove 5 columns and add 6 more. That would require to do 11 times the same thing since the list closes every time. Wouldn't it be easier (for the users not the programmer!) to have check box in front of every option, so as to check-uncheck whatever needed?
b. Winbox again. Wouldn't a rule copy from the start page be easier using the right click? got add-remove-enable-disable etc but no copy. Less windows-less clicks
c. Again winbox! Start page of a menu again (e.g. Firewall). A drop menu for the options (when double-clicked?) would be much faster to change an option. Combined with the second request, making a copy of rule and changing one option would be sth like right click-->copy rule--> double click new rule option-->choose new option.
Yup - it can be a little frustrating when a video about Mikrotik is not in English (the only language I know).
And now, for something completely different: (no, not the larch)
With all those YouTube videos from MUM taken from all over the world, it would be nice when the language of the video is always visible in the title.
Some of them are in English or another language I could understand, but more often they are completely incomprehensible to me and it would be useful to make that selection already in the title listing.